Provided by: spamassassin_4.0.2~rc2-1_all

NAME

       Mail::SpamAssassin::Plugin::OLEVBMacro - scan Office documents for evidence of OLE Macros or other
       exploits

SYNOPSIS

         loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

         ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
           body     OLEMACRO eval:check_olemacro()
           describe OLEMACRO Attachment has an Office Macro

           body     OLEOBJ eval:check_oleobject()
           describe OLEOBJ Attachment has an Ole Object

           body     OLERTF eval:check_olertfobject()
           describe OLERTF Attachment has an Ole Rtf Object

           body     OLEMACRO_MALICE eval:check_olemacro_malice()
           describe OLEMACRO_MALICE Potentially malicious Office Macro

           body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
           describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

           body     OLEMACRO_RENAME eval:check_olemacro_renamed()
           describe OLEMACRO_RENAME Has an Office doc that has been renamed

           body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
           describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

           body     OLEMACRO_CSV eval:check_olemacro_csv()
           describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

           body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
           describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected

           body     OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
           describe OLEMACRO_URI_TARGET Uri inside an Office doc

           body     OLEMACRO_MHTML_TARGET eval:check_olemacro_mhtml_uri()
           describe OLEMACRO_MHTML_TARGET Exploitable mhtml uri inside an Office doc
         endif

DESCRIPTION

       This plugin detects OLE Macros or other exploits inside Office documents attached to emails.  It can
       detect documents inside zip files as well as encrypted documents.

REQUIREMENT

       This plugin requires Archive::Zip and IO::String perl modules.

USER PREFERENCES

       The following options can be used in both site-wide ("local.cf") and user-specific ("user_prefs")
       configuration files to customize how the module handles attached documents:

       olemacro_num_mime (default: 5)
           Configure the maximum number of matching MIME parts (attachments) the plugin will scan.

       olemacro_num_zip (default: 8)
           Configure the maximum number of matching files inside the zip to scan.  To disable zip scanning,
           set it to 0.

       olemacro_zip_depth (default: 2)
           Depth to recurse within zip files.

       olemacro_extended_scan ( 0 | 1 ) (default: 0)
           Scan all files for potential Office files and/or macros; the "olemacro_skip_exts" parameter will
           still be honored.  This parameter is off by default and is needed only to run the
           "eval:check_olemacro_renamed" rule.  If it is turned on, consider adjusting the values of
           "olemacro_num_mime" and "olemacro_num_zip" and prepare for more CPU overhead.

       olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
           DEPRECATED: This option is deprecated and will be removed in a future release.

       olemacro_max_file (default: 1024000)
           Limit the number of bytes that the plugin will decode and scan from the MIME objects (attachments).

       olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
           Set the case-insensitive regexp used to configure the extensions the plugin targets for macro
           scanning.

       olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$)
           Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a
           macro.

       olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx)$)
           Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely; these
           should only be guaranteed macro-free files.

       olemacro_skip_ctypes (default: ^(?:text\/))
           Set the case-insensitive regexp used to configure content types for the plugin to skip entirely;
           these should only be guaranteed macro free.

       olemacro_zips (default: (?:zip)$)
           Set the case-insensitive regexp used to configure extensions for the plugin to target as zip files;
           files listed in the configs above are also tested for zip.

       olemacro_download_marker (default: (?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/))
           Set the case-insensitive regexp used to match the script used to download files from the Office
           document.
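
The following is an added example, not code from SpamAssassin or from this manual page: a small checker for seeing which of the default regexps listed above match a given attachment name before you change them. It assumes Python's re module as a stand-in for Perl regexps (these patterns behave the same in both), uses hypothetical function names and constructed sample data, and reports only which patterns match, not the order in which the plugin consults them.

```python
import re

# Default patterns copied from the option list above. The page describes them
# as case-insensitive, so re.IGNORECASE is applied when matching.
DEFAULTS = {
    "olemacro_exts": r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$",
    "olemacro_macro_exts": r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$",
    "olemacro_skip_exts": r"(?:dotx|potx|ppsx|pptx|sldx)$",
    "olemacro_zips": r"(?:zip)$",
}
DOWNLOAD_MARKER = r"(?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)"


def matching_options(filename, patterns=DEFAULTS):
    """Return the sorted names of the extension options whose regexp matches."""
    return sorted(
        name for name, rx in patterns.items()
        if re.search(rx, filename, re.IGNORECASE)
    )


def has_download_marker(text, marker=DOWNLOAD_MARKER):
    """True if decoded document text contains the download-script marker."""
    return re.search(marker, text, re.IGNORECASE) is not None


# Constructed attachment names, not taken from real mail.
SAMPLES = [
    "Invoice.DOCM",    # macro-enabled extension, upper case
    "report.xlsx",     # targeted for macro scanning
    "slides.pptx",     # skipped entirely by default
    "deck.sldm",       # listed in both olemacro_exts and olemacro_macro_exts
    "bundle.zip",      # handled as a zip container
    "statement.pdf",   # no default pattern matches a renamed or unlisted name
    "summary_doc",     # patterns are anchored only at the end, no dot required
]

# Constructed text shaped like the string the default marker targets.
SAMPLE_TEXT = "CMD.EXE /c ms^h^ta ht^tp:/^/host.invalid/a"

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} -> {matching_options(name) or 'no pattern matches'}")
    print("download marker:", has_download_marker(SAMPLE_TEXT))
```

A name that matches none of the patterns, such as statement.pdf here, is the case "olemacro_extended_scan" exists for; keep the trailing "$" when writing a custom pattern, since it is the only anchor these regexps have.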

perl v5.40.1                                       2025-08-11             Mail::SpamAssas...gin::OLEVBMacro(3pm)